
List:       unbound-users
Subject:    Re: Odd SERVFAIL at insecure delegation
From:       "T.Suzuki via Unbound-users" <unbound-users () lists ! nlnetlabs ! nl>
Date:       2020-11-04 2:02:23
Message-ID: 20201104110223.47845ab82734fc1339e688dd () reflection ! co ! jp

On Tue, 3 Nov 2020 15:59:20 -0500
Viktor Dukhovni via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:

> On Tue, Nov 03, 2020 at 02:39:19PM +0900, T.Suzuki wrote:
> 
> > 
> > Insecure.mufj.jp is a domain of insecure delegation from mufj.jp zone.
> > Insecure.mufj.jp is delegated to ns3.mufj.jp, 
> > but ns3 has a private(?) mufj.jp zone instead of insecure.mufj.jp zone.
> > Insecure.mufj.jp has a CNAME and a RRSIG. (but no DS record in mufj.jp)
> > 
> > With this configuration, Unbound returns SERVFAIL for insecure.mufj.jp.
> > BIND, Knot Resolver, PowerDNS Recursor return NOERROR.
> 
> One of the nameservers is returning bad data:
> 
>     https://dnsviz.net/d/insecure.mufj.jp/X6HDgw/dnssec/
> 
> This can lead to sporadic validation failures.

I know that. I set it up that way on purpose. 
The question is why Unbound does signature verification for insecure
delegation.

-- 
------------------------------------------------------------------------------
T.Suzuki 